Criminal Justice Insider

The Computer Fraud and Abuse Act (“CFAA”) is one of law enforcement’s key tools in fighting cybercrime. Despite being enacted in 1986, well before the rise of the modern internet, it has been a cornerstone of prosecutions for cybersecurity breaches that do not neatly fit in the traditional confines of mail and wire fraud prosecutions. However, in Van Buren v. United States, No. 19-783, decided on June 3, 2021, the Supreme Court substantially limited the scope of criminal liability under the CFAA.

By way of background, the CFAA outlaws access to a protected computer without authorized access or in excess of the permitted access. 18 U.S.C. § 1030, et. seq. A “protected computer” is any computer used in or affecting interstate or foreign commerce. 18 U.S.C. § 1030(e)(2). To exceed authorized access is to access a computer without authorization and to use such entry to obtain or alter information in the computer that the person retrieving the information is “not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(2) (emphasis added).

In Van Buren, a Georgia police officer accessed a law enforcement database from his patrol car to look up a license plate in exchange for money. The database search had no legitimate law enforcement purpose and violated departmental policy. Van Buren was convicted of violating the CFAA at trial and sentenced to eighteen months in prison. On appeal, the Court of Appeals for the Eleventh Circuit affirmed the conviction. However, the Supreme Court ultimately reversed the conviction finding that Van Buren could not be convicted under the CFAA because he was, in fact, authorized to access the license plate database.

The Supreme Court, with Justice Barrett, writing for the majority (J. Sotomayor, J. Gorsuch, J. Breyer, J. Kagan, J. Kavanaugh), held that the provision of the CFAA which covers unauthorized access requires a user to access an area of the computer, such as files, folders or databases, that they are not authorized to access. It does not prohibit access to a computer or network with appropriate authority but with improper motive.

Justice Barrett’s opinion turned on the definition of the word “so” in the statute. The phrase in the CFAA “entitled so to obtain” renders the word “so” a term of reference which means “the same manner as has been stated.” When this definition of the word “so” is read in concert with the definitional provision “via a computer is otherwise authorized to access” the only logical conclusion is that the statute only bans access to material on a computer which the user does not have authority to access. It does not prohibit accessing a database with authority but without a proper purpose. Accordingly, Van Buren’s conviction was reversed and the matter remanded.

The decision, though pedantic, is nonetheless critical to criminal liability for cybersecurity intrusion. For example, in light of Van Buren, a corporate employee who has proper authority to access corporate information but does so for an improper purpose can seemingly no longer be held liable under the CFAA. The sweeping impacts of Van Buren will surely be felt for years to come or until Congress modernizes America’s cybercrime statutes.

For more information on the topic discussed, contact:

• Adam M. Felsenstein  |  felsenstein@thsh.com  |  212-508-7533